Following Data Classification Levels, Vietnam has released a draft circular for comments, proposing security requirements for different levels of data, per their data classification framework. These security requirements exclude data from the Ministry of Defence and the Ministry of Public Security.
This regulation proposes baseline (a) technical requirements, including network infrastructure safety; server security; application security and data security, as well as (b) management requirements such as general policy; organization and personnel; design and construction management; operational management; testing, assessment and risk management.
The Circular proposes the following requirements:
1. Information Security Assurance Plans
- For information Levels 1, 2 and 3, information security levels must be sufficient but should also consider the possibility of sharing between information systems for solutions to protect and share resources, so as to optimize performance and avoid system redundancies and duplicate investments.
- For Levels 4 and 5, the information security assurance plans need to be designed to ensure availability, segregation and limit the impact on the entire system when one component in the system is affected.
2. Information Security Audits and Compliance
- These will be required for information Levels 3, 4, and 5, with compliance and reporting requirements detailed in Articles 8 and 9 of the Circular. This includes any newly built and expanded/upgraded systems.
3. Cloud Computing
- If Cloud Computing is deployed, specific requirements for logical and physical separation are detailed in the Circular, with stricter separation for network and storage requirements for Level 4 and 5 (see Article 8, Clause 6).
4. Information Security Risk Management Plan required
- An Information Security Risk Management plan is now required for all information Levels, with higher requirements for Level 3 and above.
5. System termination/ exit strategy required
- System termination/exit plans are now required for all information Levels, with higher requirements for Level 3 and above.
The MIC Public Consultation closes on 11 May 2022, and submissions can be put through via their website.
Access Partnership is closely monitoring these updates from Vietnam. If you would like us to draft a response for submission, or for more information, please contact May-Ann at [email protected].
Data Classification Framework for Vietnam
The data classification framework for Vietnam has been established in Decree 85/2016/ND-CP on the security of information systems by classification, involving five Levels.
Level 1. Serves internal operations of an organization or agency and only processes public information.
Level 2. Either (1) an information system that serves internal operations of an organization or agency, processes private information and personal information of users but does not handle classified state information, or (2) an information system that serves the people and enterprises in one of these manners: a) Provide information and online public services at level 2 or lower as per the law; b) Provide online services that are not stated in the list of conditional business services; c) Provide other online services of processing private and personal information of less than 10,000 users, or (3) a system of information infrastructure that is of use to an organization or agency.
Level 3. Either (1) An information system that processes classified state information or services the national defense and security and whose sabotage compromises the defense and security of the country, or (2) an information system that serves the people and enterprises in one of these manners: a) Provide information and online public services at level 3 or higher as per the law; b) Provide online public services that are defined in the list of conditional business services; c) Provide other online services of processing private and personal information of 10,000 or more users, or (3) a system of shared information infrastructure that is of use to agencies and organizations in an industry, a province or some provinces, or (4) an industrial maneuver information system that directly services the maneuver and operation of ordinary activities of buildings of grade II, III or IV as per the regulated gradation of construction.
Level 4. Either (1) an information system that processes classified state information or services the national defense and security and whose sabotage gravely compromises the defense and security of the country, or (2) a national information system that services the development of the electronic government, functions on round-the-clock basis and does not halt without prior schedule, or (3) a system of shared information infrastructure that services agencies and organizations on nation-wide scale and round-the-clock basis and does not halt without prior schedule, or (4) an industrial maneuver information system that directly services the maneuver and operation of ordinary activities of buildings of grade I as per the regulated gradation of construction.
Level 5. Either (1) an information system that processes classified state information or services the national defense and security and whose sabotage causes excessively grave detriment to the defense and security of the country, or (2) an information system that services the centralized storage of particularly vital information and data of the country, or (3) a system of national information infrastructure that connects Vietnam with the world, or (4) an industrial maneuver information system that directly services the maneuver and operation of ordinary activities of special-graded buildings as per the regulated gradation of construction or vital buildings concerning national security according to legal regulations on national security, or (5) Other information systems at the discretion of the Prime Minister.